The other day, I was converting a customer’s domain hosted within Office 365 from using ADFS-based authentication to using the native Azure AD-based authentication. As part of the de-federation process, I wanted to check if the users had been successfully de-federated – I knew the PowerShell command for viewing if the domain had been successfully de-federated, but there didn’t seem to be a documented command to make sure that the users had been de-federated.

Now, I also spoke with Microsoft Office 365 support, as I did encounter some issues with the de-federation, and they sent me a different command to check if the users are federated. In this instance, you need to connect to the MSOL Service, but you can use the same PowerShell window:

Connect-MsolService

Once connected, run the following one-liner:

Get-MsolUser -All | FT ImmutableID,DisplayName

Microsoft Support told me that if a user has an Immutable ID, then the user is still federated. I am still trying to confirm this, but if Microsoft Support is telling me that, then I can only assume it is true.
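
The check described above, extended as an added example that is not part of the original post: it lists each user's ImmutableId next to the authentication type that Get-MsolDomain reports for the user's UPN domain, so the per-user attribute can be compared with the domain-level setting. It assumes a session already opened with Connect-MsolService; the variable names and report columns are chosen for this example.

```powershell
# Added example: requires an existing session from Connect-MsolService.

# Build a lookup of domain name -> authentication type (Managed or Federated).
$domainAuth = @{}
foreach ($d in Get-MsolDomain) {
    $domainAuth[$d.Name.ToLower()] = $d.Authentication
}

# For each user, record the UPN domain, that domain's authentication type,
# and whether an ImmutableId is populated on the account.
$report = Get-MsolUser -All | ForEach-Object {
    $upnDomain = ($_.UserPrincipalName -split '@')[-1].ToLower()
    [pscustomobject]@{
        DisplayName       = $_.DisplayName
        UserPrincipalName = $_.UserPrincipalName
        Domain            = $upnDomain
        DomainAuth        = $domainAuth[$upnDomain]
        HasImmutableId    = -not [string]::IsNullOrEmpty($_.ImmutableId)
        ImmutableId       = $_.ImmutableId
    }
}

# Summary: user counts per domain / authentication type / ImmutableId presence.
$report | Group-Object Domain, DomainAuth, HasImmutableId |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Full per-user listing, sorted so each domain's users appear together.
$report | Sort-Object Domain, UserPrincipalName |
    Format-Table DisplayName, UserPrincipalName, DomainAuth, HasImmutableId -AutoSize
```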